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DETAILED ACTION 

1 . This communication is a First Action Non-Final on the merits. Claims 1-28, as originally 
filed, are currently pending and have been considered below. 

Claim Rejections - 35 USC § 103 

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 

obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

3. Claims 1-3, 7-11, and 13-14 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Abrahams (2005/0086090) in view of Beverina (2001/0027389). 

As per claim 1, Abrahams teaches a method of managing risk related to a successful 
completion of a development project, comprising: 

storing a probability of occurrence (Pf) table (via Table 1, that shows an example of 
different risk probabilities. Table 1, p. 4) and a severity of consequence (Cf) table (via Table 2, 
that shows an example of different risk consequences, Table 2, p. 4), identified risks and existing 
risk mitigation plans in a shared risk database (Fig. IC shows a template for an identified risk, 
and control [mitigation] plans, said information must inherently be stored within a database); and 

viewing the Pf table to select a probability of occurrence Pf for said at least one 
risk; (via Table 1, that shows an example of different risk probabilities, Table 1, p. 4) 

viewing the Cf table to select a severity of consequence Cf for said at least one 
risk, (via Table 2, that shows an example of different risk consequences. Table 2, p. 4) said Pf 
and Cf being combined and ranked to define prioritized risk factor Rf (a user selects inherent 
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values of likelihood [Pf] and consequence for a risk [Cf} , and . . . the system then calculations 
residual levels of likelihood, consequence and risk rating for the risk [Pf], ^1 6, lines 6-11), 

However, Abrahams fails to explicitly disclose 

via a web browser, a plurality of users, 

formulating an enterprise search of the risk database to identify at least one risk, 
formulating a mitigation search of the risk database to identify existing risk 
mitigation plans for the identified risk to enhance the development of new mitigation plans or 
share with other programs the resources to implement the mitigation plan. 

Beverina in the same field of endeavor [risk management systems] teaches a web browser 
(Fig. 3), a plurality of users (Fig. 1), formulating an enterprise search of the risk database to 
identify at least one risk (via T| 361, "the user can also search the sites for particular information" 
where the particular information is a risk, and formulating a mitigation search of the risk 
database to identify existing risk mitigation plans for the identified risk to enhance the 
development of new mitigation plans or share with other programs the resources to implement 
the mitigation plan, (via "risk mitigation [that] also uses threat and countermeasure 
characteristics in making decisions. Various countermeasures are compared to the specific threat 
to determine which ones are most effective at mitigating the risk of the threat against the target", 
Examiner construes this to be the equivalent of a mitigation plan search as it evaluates existing 
plans to provide the user with the best alternatives. 307, lines 9-13) 

It would have been obvious to one skilled in the art at the time of invention to combine 
the risk management system taught by Abrahams with the risk management system features of 
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Beverina. Motivation for the combination is a system with more features that should produce 
better risk management analysis and techniques. 

As per claim 2, Abrahams teaches the method wherein the probability of occurrence table 
has a plurality of risk categories, each said category having table entries that include 
standardized qualitative probability definitions, (via Table 1, p. 4, that shows the plurality of 
categories ranging from rare to almost certain, and the standardized qualitative probability 
definitions for each category of risk) 

As per claim 3, Abrahams discloses the method further comprising tailoring the 
probability of occurrence table to the select few categories that are relevant to the development 
project. (Tf 6, lines 7-8 teach that a user can select inherent values of likelihood and consequence 
for a risk [this data coming from Table 1 on p. 4]). However, Abrahams fails to explicitly 
disclose that this is done via a web browser. Beverina, in the same field of endeavor [risk 
management systems], teaches a browser based risk management system. It would have been 
obvious to one skilled in the art at the time of the invention to use the system taught by 
Abrahams in a web based environment as taught by Beverina. Motivation to combine the two is 
present as a web based risk management system allows users in remote locations to easily 
modify and update risk profiles. 

As per claim 7, Abrahams fails to explicitly disclose the method wherein the enterprise 
search includes a combination of at least two parameters including current or historic, risk factor, 
vendor, component, fimctional area, category, key work in risk title, key work in risk description, 
IPT, actionee, actionee/team, lead/submitter, or risk number. However, Beverina, in the same 
field of endeavor [risk management systems], teaches searches "by categories such as threat 
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type, risk, score and others" (Tl 363, lines 3-5). Examiner construes risk to be the current risk 
factor, and threat type to be the category. It would have been obvious to one skilled in the art at 
the time of invention to combine the risk management system taught by Abrahams with the risk 
management system search features of Beverina. Motivation for the combination is a system 
where users have easier access to past records, and therefore can use past results easier. 

As per claim 8, Abrahams teaches at least one risk including a combination of risk 
number, program, risk title and a current risk factor (Fig. IB displays the risk number next to the 
risk, and a program is detailed under each consequence [Examiner construes a program to be a 
series of steps, in this case the program is the corrective controls], Fig. IC displays the title, as 
well as the risk rating). However, Abrahams fails to explicitly disclose that this information is 
retrieved via a search. Beverina, in the same field of endeavor [risk management systems], 
teaches searches "by categories such as threat type, risk, score and others" (T| 363, lines 3-5). It 
would have been obvious to one skilled in the art at the time of invention to combine the risk 
management system taught by Abrahams with the risk management system search features of 
Beverina. Motivation for the combination is a system where users have easier access to past 
records, and therefore can use past results easier. 

As per claim 9, Abrahams fails to explicitly disclose the method wherein the web 
browser provides a transfer link from said at least one risk with its risk mitigation plan to import 
the selected risk and mitigation plan into another program. However, Beverina, in the same field 
of endeavor [risk management systems], teaches that "Results from local VAT 200 sessions are 
transferred to the TIMS 130, in the form of the VAT Database 220, and stored in a database 
along with sessions from other sites." 364) Fig. 1 further illustrates this detail as risk 
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mitigation plans are created and stored, until they are imported into the TIMS program. It would 
have been obvious to one skilled in the art at the time of invention to combine the risk 
management system taught by Abrahams with the risk management system features of Beverina. 
Motivation for the combination is a system with more features that should produce better risk 
management analysis and techniques. 

As per claim 10, Abrahams fails to explicitly disclose the method wherein the mitigation 
search includes a combination of at least two parameters including a risk description, risk status, 
start date, original planned complete date, planned complete date, and complete date. However, 
Beverina, in the same field of endeavor [risk management systems], teaches that users can 
"search and browse the data from the individual VAT 200 sessions by categories such as threat 
type, risk, score and others." (T| 363) Figure 50 shows a calendar within that VAT 200 for entry 
of start and completion dates. A user therefore, would be able to do a mitigation search 
including the parameters of start date and complete date. It would have been obvious to one 
skilled in the art at the time of invention to combine the risk management system taught by 
Abrahams with the risk management system features of Beverina. Motivation for the 
combination is a system with more features that should produce better risk management analysis 
and techniques. 

As per claim 11, Abrahams fails to explicitly disclose the method further including 
automatically generating risk reports including identified risks, prioritized risk factors, and 
mitigation plans. However, Beverina, in the same field of endeavor [risk management systems], 
teaches that users can "create, edit and delete report formats to create new and customized 
reports to meet fixture needs" (TI 374, lines 6-7). A user would be enabled to create risk reports 



Application/ Control Number: 10/661,756 Page 7 

Art Unit: 4127 

including the identified risk, prioritized risk factors, and mitigation plans. It would have been 
obvious to one skilled in the art at the time of invention to combine the risk management system 
taught by Abrahams with the risk management reporting feature of Beverina. Motivation for the 
combination is a system with more features that should produce better risk management analysis 
and techniques as well as easier sharing of information. 

As per claim 13, Abrahams fails to explicitly disclose the method wherein the web 
browser has an interface that includes a menu bar with pull-down menu items and menu sub- 
items for viewing the current program, conducting the enterprise search and conducting the 
mitigation search and hyperlinks to the Pf and Cf tables. However, Beverina, in the same field of 
endeavor [risk management systems] teaches a web browser (Fig. 3), with pull-down menu items 
[viewable in the drawing] and menu sub-items for viewing the current program [viewable in the 
drawing], conducting the enterprise search [via the search box] and conducting the mitigation 
search [via the search box] and hyperlinks to the Pf and Cf tables [via the THREATS and 
VULNERABILITY hyperlinks in the drawing]. It would have been obvious to one skilled in the 
art at the time of invention to combine the risk management system taught by Abrahams with the 
web based feature of Beverina. Motivation for the combination is a system with more features 
that should produce better risk management analysis and techniques as well as easier navigation 
of information. 

As per claim 14, Abrahams teaches the method wherein the identified risks, risk factors, 
and mitigation plans for each user are stored in the shared risk database. Figure IB shows the 
"knowledge base" construed by Examiner to be a database, containing identified risks, risk 
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factors, and mitigation plans [Examiner construes the corrective control and the preventative 
control to be a mitigation plan]. 

4. Claims 4-6, 12, and 15-18 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Abrahams (2005/0086090) and Beverina (2001/0027389) in view of Examiner's Official Notice. 

As per claim 4, the combination of Abrahams and Beverina teaches the claimed invention 
as mentioned in claim 1, above. Abrahams fiirther teaches the method wherein the severity of 
consequence table has a schedule impact category with the table entries having a cost impact 
category with the table entries specifying multiple sub-categories of cost impacts in actual 
dollars for the development project. (Table 2, p. 4) However, the Abrahams and Beverina 
combination fails to exphcitly disclose table entries specifying an amount in days, weeks or 
months. Examiner takes Official Notice that it is old and well known in the art of project 
management to measure negative impacts upon projects like delays in units of time such as days, 
weeks, or months. It would have been obvious to one skilled in the art at the time of invention to 
combine the table taught by Abrahams and Beverina with Examiner's Official Notice. 
Motivation to combine is to have an additional quantifiable way to measure consequences of a 
particular outcome. 

As per claim 5, Abrahams teaches the method wherein said multiple sub-categories 
include development cost (NRE), unit cost (DTC) and operations and support (O/S) categories, 
(via "in one mode of use, the inherent risk impact cost is aggregated over the inherent cost of 
each consequence of the risk" where consequences of each risk would inherently include 
development cost, unit cost, and operations and support costs, T| 7, lines 15-17) 
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As per claim 6, the combination of Abrahams and Beverina and Examiner's Official 
Notice teaches the claimed invention as mentioned in claim 4, above. Abrahams further teaches 
the method further comprising the severity of consequence table to select the cost impact sub- 
categories and specify their dollar amounts (Table 2, p. 4 shows the severity of consequence 
table which includes cost impact sub-categories and dollar ranges.) 

As per claim 12, the combination of Abrahams and Beverina teaches the claimed 
invention as mentioned in claim 11, above. However, the Abrahams and Beverina combination 
fails to exphcitly teach the method wherein a risk review board (RRB) report is generated by 
submitting minutes for a RRB meeting by entering information for each risk covered during a 
RRB meeting and entering the date of the RRB meeting; and submitting the minutes to generate 
the RRB report including Number, Title, Actionee, Rf, Risk Level and Comments for each risk. 
Examiner takes Official Notice that it is old and well known in the art of meetings to generate 
and submit minutes. Examiner further takes Official Notice that it is old and well known in the 
art of recording minutes to record topics discussed as well as the date of the meeting. Beverina, 
teaches that clauses of a report can include "Data values in the database and results from simple 
queries of the database that return text or simple data values" (T| 429-432). These results would 
include information such as Risk Factors, Risk Level and Comments. It would have been 
obvious to one skilled in the art at the time of invention to combine the system of Abrahams with 
the reporting features of Beverina in view of Examiner's Official Notice. Motivation to combine 
is increased communication within a risk management setting. 

As per claim 15, Abrahams teaches s method of managing risk related to a successful 
completion of a development project, comprising: 
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tailoring a probability of occurrence (Pf) table having a number of risk categories to have 
a fewer number of said risk categories that are relevant to the development project, each said 
category having table entries that include standardized qualitative probability definitions; (via 
Table 1, page 4) 

identifying a plurality of risks relating to the successfiil completion of the development 
project; (Fig. IB displays a plurality of risks) 

assigning a risk factor (Rf) to each risk by selecting the table entry Pf for the risk 
category in the Pf table that most closely describes the risk, selecting the table entries Cf for the 
cost impact and schedule impact categories in the Cf table, computing a function of Pf and Cf 
and keeping the highest risk factor Rf (Fig. IC shows the for a given risk the Residual likelihood 
[risk factor], the cost impact [inherent risk impact cost], schedule impact [residual risk impact 
cost], and a fimction of Pf and Cf, the highest risk factor [inherent risk rating], these factors are 
calculated using Tables 1 and 2 on p. 4) 

having a cost impact category with table entries specifying multiple sub-categories of 
cost impacts in actual dollars for the development project (via Table 2, that shows an example of 
different risk consequences. Table 2, p. 4) 

However, Abrahams fails to explicitly disclose tailoring a severity of consequence (Cf) 
table having a schedule impact category with table entries specifying an amount in days, weeks 
or months, and prioritizing the risks based on the assigned risk factors Rf Beverina, in the same 
field of endeavor [risk management systems], teaches "Clicking on a column heading will sort 
and group the table based on that column" (Fig. 16, where the Probability of attack is the risk 
factor). It would have been obvious to one skilled in the art at the time of invention to combine 
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the method of Abrahams with the organization tools of Beverina. Motivation to combine is a 
risk management method with better risk organization tools. 

Examiner takes Official Notice that it is old and well known in the art of project 
management to measure negative impacts upon projects like delays in units of time such as days, 
weeks, or months. It would have been obvious to one skilled in the art at the time of invention to 
combine the system of Abrahams with the sorting of Beverina in view of Examiner's Official 
Notice. Motivation to combine is to have an additional quantifiable way to measure 
consequences of a particular outcome as well as an easy way to sort the results. 

As per claim 16, Abrahams teaches the method wherein said multiple sub-categories 
include development cost (NRE), unit cost (DTC) and operations and support (0/S) categories, 
(via "in one mode of use, the inherent risk impact cost is aggregated over the inherent cost of 
each consequence of the risk" where consequences of each risk would inherently include 
development cost, unit cost, and operations and support costs, ^ 1, lines 15-17) 

As per claim 17, Abrahams fails to explicitly disclose the method wherein the risk factor 
Rf is the product of Pf and Cf However, Beverina in the same field of endeavor [risk 
management systems] teaches "calculating a probability that an event will occur; calculating a 
vulnerability to the event; and calculating a relative risk based on the probability and 
vulnerability" (Claim 13) It would have been obvious to one skilled in the art at the time of 
invention to combine the system of Abrahams with the calculations of Beverina. Motivation to 
combine is to quantify the risk factors in such a fashion that they can be compared. 

As per claim 18, Abrahams teaches the ability to tailor the Pf and Cf tables (via Table 1 
and Table 2, p. 4) and that they are in the same database (Fig. IC shows a template for an 
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identified risk, and control [mitigation] plans, said information must inherently be stored within a 
database). However, Abrahams fails to explicitly disclose that they are available via a web 
browser and that a plurality of users have access. Beverina in the same field of endeavor [risk 
management systems] teaches a plurality of users (Fig. 1), and a web browser (Fig. 3). It would 
have been obvious to one skilled in the art at the time of invention to combine the risk 
management system taught by Abrahams with the risk management system features of Beverina. 
Motivation for the combination is a system with easier access to more users. 
5. Claims 19-20 are rejected under 35 U.S.C. 103(a) as being unpatentable over Abrahams 
(2005/0086090) and Beverina (2001/0027389) in view of Heinrich (6,895,383). 

As per claim 19, Abrahams teaches a web-based risk management system for managing 
risk related to a successfiil completion of a development project, comprising: 

a server comprising a shared risk database that stores a probability of occurrence (Pf) 
table (via Table 1, that shows an example of different risk probabilities, Table 1, p. 4) and a 
severity of consequence (Cf) table (via Table 2, that shows an example of different risk 
consequences, Table 2, p. 4), risk identification information and risk mitigation information (Fig. 
IC shows a template for an identified risk, and control [mitigation] plans, where said information 
must inherently be stored within a database); 

However, Abrahams fails to explicitly disclose a web-based risk management tool on the 
server that provides standardized interfaces for searching, viewing and entering information to 
and from the shared risk database via a web browser, an infranet, and a plurality of computer 
workstations in communication with the server via the intranet, each said workstation provided 
with a web browser to search the database using the standardized interfaces to identify risks, to 
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select entries from the Pf and Cf tables to calculate and prioritize a risk factor Rf for each risk, 
and to search the database to identify existing risk mitigation plans for the prioritized risks. 

Beverina, in the same field of endeavor [risk management systems] teaches each said 
work station provided with a web browser to search the database using the standardized 
interfaces to identify risks (Fig. 3), to select entries from the Pf and Cf tables [via the THREATS 
and VULNERABILITY hyperlinks in the drawing], to calculate and prioritize a risk factor Rf for 
each risk (where the calculation is accomplished by "calculating a probability that an event will 
occur; calculating a vulnerability to the event; and calculating a relative risk based on the 
probability and vulnerability", Claim 13, and prioritizing a risk factor is done by "clicking on a 
column heading will sort and group the table based on that column", Fig. 16). It would have 
been obvious to one skilled in the art at the time of invention to combine the system taught by 
Abrahams with the browser abilities of Beverina. Motivation to combine is easier access to the 
system. 

However, Abrahams and Beverina both fail to disclose an intranet and a plurality of 
workstations in communication with the server via the intranet. Heinrich, in the same field of 
endeavor [risk management] teaches "a system containing a user computer, a network, and a 
security computer", (Col. 15, lines 46-47) and that the network "may also represent a corporate 
extranet or intranet" (Col. 15, lines 53-55). It would have been obvious to one skilled in the art 
at the time of invention to combine the combination of Abrahams and Beverina with the network 
of Heinrich. Motivation for the combination is to create a risk management system with easy 
system interaction and easy user conmiunication. 
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As per claim 20, Abrahams fails to explicitly disclose the method wherein the web 
browser has an interface that includes a menu bar with pull-down menu items and menu sub- 
items for viewing the current program, conducting the enterprise search and conducting the 
mitigation search and hyperlinks to the Pf and Cf tables. However, Beverina, in the same field of 
endeavor [risk management systems] teaches a web browser (Fig. 3), with pull-down menu items 
[viewable in the drawing] and menu sub-items for viewing the current program [viewable in the 
drawing], conducting the enterprise search [via the search box] and conducting the mitigation 
search [via the search box] and hyperlinks to the Pf and Cf tables [via the THREATS and 
VULNERABILITY hyperlinks in the drawing]. It would have been obvious to one skilled in the 
art at the time of invention to combine the risk management system taught by Abrahams with the 
web based feature of Beverina. Motivation for the combination is a system with more features 
that should produce better risk management analysis and techniques as well as easier navigation 
of information. 

6. Claims 21-28 are rejected under 35 U.S.C. 103(a) as being unpatentable over Abrahams 
(2005/0086090), Beverina (2001/0027389), and Heinrich (6,895,383) in view of Examiner's 
Official Notice. 

As per claim 21, the combination of Abrahams, Beverina and Heinrich teaches the 
claimed invention as mentioned in claim 19, above. Abrahams further teaches the system 
wherein the PF table has a plurality of risk categories, each said category having table entries 
that include standardized qualitative probability definitions (via Table 1, that shows an example 
of different risk probabilities. Table 1, p. 4) and the Cf table having a cost impact category with 
table entries for specifying multiple sub-categories of cost impacts in actual dollars for the 



Application/ Control Number: 10/661,756 Page 15 

Art Unit: 4127 

development project, (via Table 2, that shows an example of different sub-categories, Table 2, p. 
4) and tailoring the Pf table to have few categories that are relevant to the current project 6, 
lines 7-8 teach that a user can select inherent values of likelihood and consequence for a risk 
[this data coming from Table 1 on p. 4]). 

However, the Abrahams, Beverina and Heinrich combination fails to teach a schedule impact 
category with table entries for specifying a schedule impact amount in days, weeks or months 
and a web browser providing adminisfrative access. 

Examiner takes Official Notice that it is old and well known in the art of project 
management to measure negative impacts upon projects like delays in units of time such as days, 
weeks, or months. It would have been obvious to one skilled in the art at the time of invention to 
combine the table taught by Abrahams and Heinrich with Examiner's Official Notice. 
Motivation to combine is to have an additional quantifiable way to measure consequences of a 
particular outcome. 

Beverina, fiirther teaches a web browser (Fig. 3), and administrative access (via Fig. 1 
where the Senior Contmiander is the administrative access). It would have been obvious to one 
skilled in the art at the time of invention to combine the system of Abrahams, Beverina, and 

Heinrich in view of Examiner's Official Notice with the additional features of Beverina. 
Motivation to combine is to create a risk management system with more detailed information and 
easier access. 

As per claim 22, the Abrahams and Heinrich combination fails to explicitly disclose the 
system wherein the workstation via the web browser submits an enterprise search that includes a 
combination of at least two parameters including current or historic, risk factor, vendor. 
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component, functional area, category, key word in risk title, key word in risk description, IPX, 
actionee, actionee/team lead/submitter or risk number and the server returns via the web browser 
an enterprise search results list including for at least one risk a combination of risk number, 
program, risk title, a current risk factor and its risk mitigation plan.. However, Beverina, in the 
same field of endeavor [risk management systems], teaches searches "by categories such as 
threat type, risk, score and others". Examiner construes risk to be the current risk factor, and 
threat t5^e to be the category. Beverina fiirther teaches that users can "search and browse the 
data from the individual VAT 200 sessions by categories such as threat type, risk, score and 
others." (TI 363) Figure 50 shows a calendar within that VAT 200 for entry of start and 
completion dates. A user therefore, would be able to do a mitigation search including the 
parameters of start date and complete date. Finally, Beverina teaches a web browser enterprise 
search (Fig. 3 via the search option). It would have been obvious to one skilled in the art at the 
time of invention to combine the system of Abrahams and Heinrich with the tools of Beverina. 
Motivation to combine is creation of a risk management system with easier access to information 
and ease of modification. 

As per claim 23, the Abrahams and Heinrich combination fails to explicitly disclose the 
system wherein the workstation via the web browser submits a mitigation search that includes a 
combination of at least two parameters including a risk description, risk status, start date, original 
planned complete date, planned complete date and complete date and the server returns existing 
mitigation plans that satisfy the search parameters. However, Beverina, in the same field of 
endeavor [risk management systems], teaches that users can "search and browse the data from 
the individual VAT 200 sessions by categories such as threat type, risk, score and others." (T| 
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363) Figure 50 shows a calendar within that VAT 200 for entry of start and completion dates. A 
user therefore, would be able to do a mitigation search including the parameters of start date and 
complete date. It would have been obvious to one skilled in the art at the time of invention to 
combine the risk management system taught by Abrahams and Heinrich with the risk 
management system features of Beverina. Motivation for the combination is a system with more 
features that should produce better risk management analysis and techniques. 

As per claim 24, the Abrahams and Heinrich combination fails to explicitly disclose the 
system wherein the workstations automatically submit identified risks, risk factors and mitigation 
plans to the shared database, said server automatically generating risk reports including 
identified risks, prioritized risk factors and mitigation plans for the current project. However, 
Beverina, in the same field of endeavor [risk management systems], teaches that users can 
"create, edit and delete report formats to create new and customized reports to meet fixture 
needs" 374, lines 6-7). A user would be enabled to create risk reports including the identified 
risk, prioritizeed risk factors, and mitigation plans. It would have been obvious to one skilled in 
the art at the time of invention to combine the risk management system taught by Abrahams and 
Heinrich with the risk management reporting feature of Beverina. Motivation for the 
combination is a system with more features that should produce better risk management analysis 
and techniques as well as easier sharing of information. 

As per claim 25, Abrahams teaches a web-based risk management system for managing 
risk related to a successful completion of a development project, comprising: a server comprising 
a shared risk database that stores a probability of occurrence (Pf) (via Table 1, that shows an 
example of different risk probabilities. Table 1, p. 4) table having a number of risk categories 
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and a severity of consequence (Cf) having a cost impact category with table entries specifying 
multiple sub-categories of cost impacts in actual dollars for the development project, (via Table 
2, that shows an example of different sub-categories, Table 2, p. 4), risk identification 
information and risk mitigation information (Fig. IC shows a template for an identified risk, and 
control [mitigation] plans); 

However, Abrahams fails to explicitly disclose a Cf table having a schedule impact 
category with table entries specifying an amount in days, weeks, or moths; 

a web-based risk management tool on the server that provides standardized interfaces 
having a menu bar with menu items and menu sub-items for searching, viewing and entering 
information to and from the shared risk data and hyperlinks to the Pf and Cf tables base via a 
web browser; 

an intranet; 

a computer workstation in communication with the server via the intranet, said 
workstation provided with a web browser for tailoring the Pf table to have a fewer number of 
said risk categories and the Cf table to specify the dollar amounts for the cost impact sub- 
categories and the days, weeks or months for the schedule impact; 

a plurality of computer workstations in communication with the server via the intranet, 
each said workstation provided with a web browser to search the database to identify risks, to 
select entries from the tailored Pf and Cf tables to calculate and prioritize a risk factor Rf for 
each risk, to search the database to identify risk mitigation information for the prioritized risks 
and to track and report on the status of identified risks. 



Application/ Control Number: 10/661,756 Page 1 9 

Art Unit: 4127 

Examiner takes Official Notice that it is old and well known in the art of project 
management to measure negative impacts upon projects like delays in units of time such as days, 
weeks, or months. It would have been obvious to one skilled in the art at the time of invention to 
combine the table taught by Abrahams with Examiner's Official Notice. Motivation to combine 
is to have an additional quantifiable way to measure consequences of a particular outcome. 

Beverina, in the same field of endeavor [risk management systems] teaches each said 
work station provided with a web browser to search the database using the standardized 
interfaces to identify risks (Fig. 3), to select entries from the Pf and Cf tables [via the THREATS 
and VULNERABILITY hyperlinks in the drawing], to calculate and prioritize a risk factor Rf for 
each risk (where the calculation is accomplished by "calculating a probability that an event will 
occur; calculating a vulnerability to the event; and calculating a relative risk based on the 
probability and vulnerability". Claim 13, and prioritizing a risk factor is done by "cUcking on a 
column heading will sort and group the table based on that column", Fig. 16) Beverina, further 
teaches that users can "create, edit and delete report formats to create new and customized 
reports to meet future needs" (TI 374, lines 6-7). A user would be enabled to create risk reports 
including the identified risk, prioritized risk factors, and mitigation plans. It would have been 
obvious to one skilled in the art at the time of invention to combine the system taught by 
Abrahams in view of Examiner's Official Notice with the features of Beverina. Motivation to 
combine is an easier to understand risk management system 

However, Abrahams, Beverina, and Examiner's Official Notice all fail to disclose an 
intranet and a plurality of workstations in communication with the server via the intranet. 
Heinrich, in the same field of endeavor [risk management] teaches "a system containing a user 
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computer, a network, and a security computer", (Col. 15, lines 46-47) and that the network "may 
also represent a corporate extranet or intranet" (Col. 15, lines 53-55). It would have been 
obvious to one skilled in the art at the time of invention to combine the combination of 
Abrahams in view of Examiner's Official Notice and Beverina with Heinrich. Motivation for the 
combination is to create a risk management system with easy system interaction and easy user 
communication. 

As per claim 26, Abrahams teaches the method wherein said multiple sub-categories 
include development cost (NRE), unit cost (DTC) and operations and support (0/S) categories, 
(via "in one mode of use, the inherent risk impact cost is aggregated over the inherent cost of 
each consequence of the risk" where consequences of each risk would inherently include 
development cost, unit cost, and operations and support costs, T| 7, lines 15-17) 

As per claim 27, the combination of Abrahams in view of Examiner's Official Notice and 
Heinrich fails to explicitly disclose the system wherein the workstation via the web browser 
submits an enterprise search that includes a combination of at least two parameters including 
current or historic, risk factor, vendor, component, fiinctional area, category, key word in risk 
title, key word in risk description, IPX, actionee, actionee/team lead/submitter or risk number and 
the server returns via the web browser an enterprise search results list including for at least one 
risk a combination of risk number, program, risk title, a current risk factor and its risk mitigation 
plan.. However, Beverina, in the same field of endeavor [risk management systems], teaches 
searches "by categories such as threat type, risk, score and others". Examiner construes risk to 
be the current risk factor, and threat type to be the category. Beverina fiirther teaches that users 
can "search and browse the data fi"om the individual VAT 200 sessions by categories such as 



Application/Control Number: 1 0/66 1 ,756 Page 2 1 

Art Unit: 4127 

threat type, risk, score and others." (][ 363) Figure 50 shows a calendar within that VAT 200 for 
entry of start and completion dates. A user therefore, would be able to do a mitigation search 
including the parameters of start date and complete date. Finally, Beverina teaches a web 
browser enterprise search (Fig. 3 via the search option). It would have been obvious to one 
skilled in the art at the time of invention to combine the combination of Abrahams in view of 
Examiner's Official Notice and Heinrich with the tools of Beverina. Motivation to combine is 
creation of a risk management system with easier access to information and ease of modification. 

As per claim 28, the combination of Abrahams, Beverina, Examiner's Official Notice and 
Heinrich fails to explicitly disclose the system wherein the workstation via the web browser 
submits a mitigation search that includes a combination of at least two parameters including a 
risk description, risk status, start date, original planned complete date, planned complete date and 
complete date and the server returns existing mitigation plans that satisfy the search parameters. 
However, Beverina, further teaches that users can "search and browse the data from the 
individual VAT 200 sessions by categories such as threat type, risk, score and others." (T| 363) 
Figure 50 shows a calendar within that VAT 200 for entry of start and completion dates. A user 
therefore, would be able to do a mitigation search including the parameters of start date and 
complete date. It would have been obvious to one skilled in the art at the time of invention to 
combine the risk management system taught by the combination of Abrahams in view of 
Examiner's Official Notice and Heinrich with the risk management system features of Beverina. 
Motivation for the combination is a system with more features that should produce better risk 
management analysis and techniques. 
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Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to MICHAEL P. LUX whose telephone number is (571)270-5 104. 
The examiner can normally be reached on Monday to Thursday from 7:30 AM to 5:00 PM EST. 

If attempts to reach the examiner by telephone are unsuccessfiil, the examiner's 
supervisor, Lynda Jasmin can be reached on 571-270-3033. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Elecfronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 
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